I don't think this will really fix any vulnerabilities, because the core issue is R references, not r references. If this prevents a vulnerability using r, you can usually replicate something similar using R instead.

However, I still agree that it makes sense to restrict this. Especially because unserialize() currently allows creating structures that are just impossible in plain PHP, such as cyclic arrays without use of references (GLOBALS notwithstanding).

The check looks too strict to me though. Shouldn't it first DEREF the value before performing the OBJECT check? (E.g. for something like "a:3:{i:0;O:8:"stdClass":0:{}i:1;R:2;i:2;r:2;}", in which case r:2 will be a REF to OBJECT).
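The DEREF point above, as an added illustration that is not code from php-src or from the patch under discussion: a Python model of unserialize()'s var table that runs the quoted payload through the r: object check with and without dereferencing the target first. The Ref and Obj classes, the accepts() helper and the deref switch are constructed for this demo.

```python
# Model of the var_hash slot table behind PHP's unserialize(), restricted to the
# tokens in the quoted payload (i:, a:, O:, R:, r:). Illustration only, not php-src.
class Ref:                      # IS_REFERENCE wrapper: what R: makes of its target slot
    def __init__(self, target): self.target = target
class Obj:                      # bare PHP object: class name plus properties
    def __init__(self, cls): self.cls, self.props = cls, {}

def parse(s, pos, table, deref):
    # Parse one value at s[pos:], return (value, next_pos); `table` models var_hash.
    t = s[pos]
    if t != 'R':                # every type except R: pushes a var_hash slot
        slot = len(table); table.append(None)
    if t == 'i':                # i:<int>;
        end = s.index(';', pos)
        table[slot] = int(s[pos + 2:end])
        return table[slot], end + 1
    if t in 'aO':               # a:<n>:{...}  /  O:<len>:"<class>":<n>:{...}
        if t == 'a':
            head, val = s.index(':', pos + 2), {}
            count = int(s[pos + 2:head])
        else:
            q1 = s.index('"', pos); q2 = s.index('"', q1 + 1)
            head, val = s.index(':', q2 + 2), Obj(s[q1 + 1:q2])
            count = int(s[q2 + 2:head])
        table[slot], pos = val, head + 2
        for _ in range(count):
            key, pos = parse(s, pos, [], deref)       # keys use a NULL var_hash in PHP
            member, pos = parse(s, pos, table, deref)
            (val if t == 'a' else val.props)[key] = member
        if s[pos] != '}': raise ValueError("unterminated container")
        return val, pos + 1
    if t not in 'Rr': raise ValueError("unsupported token %r" % t)
    end = s.index(';', pos)     # R:<slot>;  or  r:<slot>;
    n = int(s[pos + 2:end])
    if not 1 <= n <= len(table): raise ValueError("bad slot")
    target = table[n - 1]
    if t == 'R':                # R: turns the target slot into a reference and shares it
        ref = target if isinstance(target, Ref) else Ref(target)
        table[n - 1] = ref
        return ref, end + 1
    if n - 1 == slot: raise ValueError("self reference")      # rval_ref == rval
    if deref and isinstance(target, Ref): target = target.target   # the missing DEREF
    if not isinstance(target, Obj): raise ValueError("r: target is not an object")
    table[slot] = target
    return target, end + 1

def unserialize(payload, deref=True):
    return parse(payload, 0, [], deref)[0]
def accepts(payload, deref=True):   # True when the r: object check lets the payload through
    try: unserialize(payload, deref); return True
    except ValueError: return False
PAYLOAD = 'a:3:{i:0;O:8:"stdClass":0:{}i:1;R:2;i:2;r:2;}'   # the string from the comment above
```

With deref=False the check sees the IS_REFERENCE wrapper that R:2 left in slot 2 and rejects the payload; with deref=True it sees the stdClass object and accepts it, while an r: that points at a non-object (e.g. the enclosing array) is still rejected.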

Thanks for catching that. You are right. I'll fix the patch a bit later. Just add DEREF.